IETF Logo Mail Archive

Re: [IPsec] Garage door - let's pick a different example

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 26 July 2014 17:34 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D4621A0377 for <ipsec@ietfa.amsl.com>; Sat, 26 Jul 2014 10:34:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtnIwF9AA1zX for <ipsec@ietfa.amsl.com>; Sat, 26 Jul 2014 10:34:39 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02C2A1A031B for <ipsec@ietf.org>; Sat, 26 Jul 2014 10:34:38 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id n3so2433546wiv.5 for <ipsec@ietf.org>; Sat, 26 Jul 2014 10:34:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=oTvhT+bVf6NSZ9X748S9dG/LfeWdFuGk9v4GOs4Vxgo=; b=beEZ7C0xtHRCaJy0BYtJ1z4pV0M7tKl8DiYIkwtAYt2KlgvvcuLvg4vVifT21Fa1Ku wlouKsFYbJr1ruTJhckmkLhUJcQFDThZ1UX2u4ToHTQ/16CNOAX0xn5+v6W5CalMTTHT PMLa/8cz4LMRRUuBTSxuZa8YURjD1/NpDrK4mtVuH0oOCycE2cNxyFMIYtdSXwoOmU9s Hyk58ryndbikROgV0OYet1jesmgPJCxX4ATVz5XQaAMPUt3mqkP1pFPaGXMfNVP1vFbz TGnTf4Gw1lZqnYxLKradAJwhPSy+e2j8wrMji8cM0EGBJw7dpYX/qPGysQsi4x5qQwbq 4bEQ==
X-Received: by 10.180.75.17 with SMTP id y17mr14870497wiv.3.1406396077580; Sat, 26 Jul 2014 10:34:37 -0700 (PDT)
Received: from [10.0.0.6] (bzq-79-178-15-7.red.bezeqint.net. [79.178.15.7]) by mx.google.com with ESMTPSA id fw4sm9591954wib.19.2014.07.26.10.34.36 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 26 Jul 2014 10:34:37 -0700 (PDT)
Message-ID: <53D3E6AA.9090500@gmail.com>
Date: Sat, 26 Jul 2014 20:34:34 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
References: <53D287BA.2070104@gmail.com> <21458.58173.437081.804657@fireball.kivinen.iki.fi>
In-Reply-To: <21458.58173.437081.804657@fireball.kivinen.iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Pj228t4dG0uVZpqks3i1X8xOBD0
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] Garage door - let's pick a different example
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jul 2014 17:34:40 -0000

On 07/26/2014 02:07 AM, Tero Kivinen wrote:
> Yaron Sheffer writes:
>> This might sound like a nit, but we have this text in the draft, as
>> a use case for null auth:
>>
>> "User wants to get some simple action from the remote device. Consider garage
>> door opener: it must authenticate user to open the door, but it is not
>> necessary for the user to authenticate the door opener.  In this case one-way
>> authentication is sufficient."
>>
>> The problem is, this is an incorrect protocol. Specifically, a MITM (who might
>> be physically located by the kitchen door), could redirect the protocol
>> exchange to a door different from the one I intended to open. Seeing that
>> nothing happens, I will simply press the remote again and open the garage
>> door, too.
>>
>> This is of course a generic problem, where unauthenticated protocols have
>> unforeseen consequences.
>
> No, that is not caused by the unauthenticated protocol, but caused by
> the same device to be used with two different doors. Even if the
> device would do full authentication and would verify that the door is
> in his list of doors which can be opened, attacker could still do the
> same thing.
>
> Only way to get rid of that, would be to either put display on the
> device telling which door responded, or put multiple buttons to the
> device and you would have to bind each button to exactly one door
> (i.e. each button using separate key or shared secret).
>
> And, not you do not even need man in the middle in cryptographic
> sense, just rerouting the packets from the air to the other
> destination would be enough.
>
> So for that kind of uses the device would need to be tied to exactly
> one door...
>

What you're saying is that to secure this system, we need authentication 
of the device, either at the IKE level or at the application level (plus 
UI improvements). I agree, and suggest again that this is not a good use 
case for null or one-way authentication.

Thanks,
	Yaron

v2.23.0 | Report a Bug | By Email